From: Mark H Weaver
Subject: Checking signatures on source tarballs
Date: Tue, 06 Oct 2015 22:07:20 -0400
Message-ID: <8737xntorr.fsf_-_@netris.org>
In-Reply-To: <87a8rwf2vl.fsf@gmail.com> (Alex Kost's message of "Tue, 06 Oct 2015 18:11:42 +0300")
To: Alex Kost
Cc: guix-devel@gnu.org

Alex Kost writes:

> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>
>> Alex Kost skribis:
>>
>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>
>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>> incentive to not check OpenPGP signatures when they are available.
>>>
>>> Sorry, I have no idea what it means :-(
>>
>> When upstream digitally signs its source code tarballs, packagers should
>> check those signatures to authenticate the code they have.
>>
>> If the tool makes it too easy to fill out the ‘sha256’ field without
>> going through the trouble of downloading the ‘.sig’ file and checking
>> it, then people will have an incentive not to check those signatures.
>
> Oh, now I see what you mean.  Well, I don't know, I think if a user has
> a habit to check a signature, he will check it anyway; and if not, then
> not.

I share Ludovic's concern.  It is a serious problem if packagers fail to
check signatures.  We should not provide mechanisms that encourage such
behavior.  It jeopardizes the security of every user of those packages.

IMO, we should rather be going in the other direction, to formalize and
automate the checking of signatures.

IMO, our 'origin' objects should include a set of fingerprints of
acceptable GPG signing keys for that package, as well as information on
how to find the signature (in cases where it cannot be guessed).

This would have several beneficial effects:

* If the packager downloaded a key belonging to a man-in-the-middle
  (quite possible given that we rarely have a validated chain of trust
  to the developer), then that bad key will be stored in our git repo
  for all to see, allowing someone to notice that it's the wrong key.

* When the package is later updated, it will not be possible for a new
  man-in-the-middle attack to be made on us.  If a new signing key is
  used, we cannot fail to notice it.  It will raise a red flag and we
  can investigate.

* It would strongly encourage packagers to do these checks, and make it
  obvious to reviewers or users when the packager failed to do so.

It would also make it easy to find unsigned packages, so that we can
encourage upstream to start signing the packages, at least for the most
important ones.

Also, our linter should download and check the signature, so that it's
easy for others to independently check the verification done by the
original packager.

What do you think?

     Mark
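The policy Mark describes above (a per-package set of pinned signing-key fingerprints, checked automatically so that a signature from an unexpected key raises a red flag rather than passing) can be enforced on top of gpg's machine-readable status output. The following is an added example in Python, not code from Guix or from anyone in this thread. It assumes a hypothetical per-package `allowed_fingerprints` list, and the fingerprints, user IDs and status lines in the sample data are constructed, not real keys or real gpg output. It parses the `[GNUPG:] ...` lines gpg prints with `--status-fd`; only `VALIDSIG` carries full fingerprints (the signing key in field 2 and, when present, the primary key in field 11), which is why a bare `GOODSIG` is never accepted on its own.

```python
"""Pinned-fingerprint policy over gpg --status-fd output (added example,
not Guix code).  The 'allowed_fingerprints' field and all sample data
below are assumptions made for illustration."""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Verdict:
    ok: bool
    fingerprint: Optional[str]  # key that made the signature, if gpg reported one
    reason: str


def _norm(fpr: str) -> str:
    """Canonicalise a fingerprint: drop spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()


def check_signature_status(status_lines: Iterable[str],
                           allowed_fingerprints: Iterable[str]) -> Verdict:
    """Apply the pinning policy to the '[GNUPG:] ...' lines from one gpg run.

    A signature that gpg calls good but that comes from a key not pinned for
    this package is reported as a failure to investigate, not as a pass.
    """
    allowed = {_norm(f) for f in allowed_fingerprints}
    if not allowed:
        return Verdict(False, None, "no signing-key fingerprints pinned for this package")

    validsig = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "BADSIG":
            return Verdict(False, None, "signature does not match the file (BADSIG)")
        if kw == "NODATA":
            return Verdict(False, None, "no OpenPGP signature data found (NODATA)")
        if kw == "NO_PUBKEY":
            return Verdict(False, None, f"signing key {fields[2]} not in keyring (NO_PUBKEY)")
        if kw == "VALIDSIG":
            # VALIDSIG <sig-key fpr> <date> <sig-ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key fpr>]
            sig_fpr = _norm(fields[2])
            primary = _norm(fields[11]) if len(fields) > 11 else sig_fpr
            validsig = (sig_fpr, primary)

    if validsig is None:
        return Verdict(False, None, "gpg reported no VALIDSIG (GOODSIG alone is not enough)")
    sig_fpr, primary = validsig
    if sig_fpr in allowed or primary in allowed:
        return Verdict(True, sig_fpr, "valid signature from a pinned key")
    return Verdict(False, sig_fpr,
                   f"valid signature, but key {sig_fpr} is not pinned for this package; "
                   "investigate before updating the pinned set")


def verify_tarball(tarball: str, signature: str, allowed_fingerprints: Iterable[str],
                   gnupghome: Optional[str] = None) -> Verdict:
    """Run gpg on a downloaded tarball and its .sig, then apply the policy.
    Requires gpg on PATH and the upstream key already imported into gnupghome."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return check_signature_status(proc.stdout.splitlines(), allowed_fingerprints)


# Constructed sample data (not real keys or real gpg output): a package that
# pins one primary-key fingerprint, and three verification runs against it.
PINNED = ["0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"]
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

STATUS_SIGNED_BY_SUBKEY = [  # signing subkey of the pinned primary key
    f"[GNUPG:] GOODSIG {SUBKEY[-16:]} Upstream Maintainer <maint@example.org>",
    f"[GNUPG:] VALIDSIG {SUBKEY} 2015-10-01 1443657600 0 4 0 1 8 00 {PRIMARY}",
]
STATUS_SIGNED_BY_UNKNOWN_KEY = [  # good signature, but a key we never pinned
    f"[GNUPG:] GOODSIG {OTHER[-16:]} Upstream Maintainer <maint@example.org>",
    f"[GNUPG:] VALIDSIG {OTHER} 2015-10-01 1443657600 0 4 0 1 8 00 {OTHER}",
]
STATUS_BAD = [f"[GNUPG:] BADSIG {SUBKEY[-16:]} Upstream Maintainer <maint@example.org>"]

if __name__ == "__main__":
    for name, lines in [("subkey", STATUS_SIGNED_BY_SUBKEY),
                        ("unknown", STATUS_SIGNED_BY_UNKNOWN_KEY),
                        ("bad", STATUS_BAD)]:
        print(name, check_signature_status(lines, PINNED))
```

Pinning the primary key's fingerprint (rather than the user ID or the short key ID gpg prints with `GOODSIG`) is what makes a key rotation or a substituted key visible in review: the verdict for `STATUS_SIGNED_BY_UNKNOWN_KEY` fails with the offending fingerprint in `reason`, so the packager has to update the pinned set in the repository, where the change can be seen and questioned, rather than silently accepting whatever key the tarball's signature happens to match.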